Commit Graph

44693 Commits

Author SHA1 Message Date
Sahil Batra 8528914131 settings: Fix live update code for realm-level user defaults section.
Previously, on receiving udpate event of realm-level default setting,
we updated the whole page, but this might be problematic now in case
where user has edited settings in two subsections with save/discard
button still present and if user clicks on save button of one
subsection then the setting in other subsection also resets to its
original value as whole page is updated.

So, this commit changes the behavior to only update the changed
setting and not affecting other settings similar to what we do
in 'Organization settings' and 'Organization permissions' sections.

We also do not call 'settings_display.report_emojiset_change' when
realm-level default of emojiset setting is updated because we now
uses save/discard widget.
2021-10-07 10:16:28 -07:00
Sahil Batra eed0a14ab0 settings: Use save-discard widget in realm-level defaults section.
This commit adds save-discard widget in the realm-level defaults
section. We use most of the functions used in settings_org.js
by passing for_realm_default_settings and add conditionals
according to it.

Some of the major changes wrt to the organzation settings code
are -

- We use element name attribute here to get the setting name from
element instead of id. We can add id for the elements here but
there is a problem doing so for the emojiset setting as for the
radio buttons we use four different input elements and all being
for the same setting.

- Added separate cases in discard_property_element_changes and
get_input_element_value to handle the radio buttons.

- We do not need get_complete_data_for_subsection here because
all settings are controlled by single field in DB and single
element in UI and thus we can simply get changed setting values
from populate_data_for_request.

- Added org-subsection-parent to the subsection container and
prop-element to the input and select elements so that we can
use the existing code.

- Modified get_subsection_property_elements to just return the
input element which is selected for emoji-settings subsection and
not all the input elements because we only need the selected value
of emojiset. We need other elements also when discarding the changes
but we handle it separately.
2021-10-07 10:16:27 -07:00
Sahil Batra 87a759c32d settings_org: Move save-discard widget click handlers to a function.
This commit moves all the click handlers used for controlling the
behavior of save/discard widgets to a separate function such that
it can be used for realm-level default section also. This function
has container and patch_url as parameters.
2021-10-07 10:12:10 -07:00
Sahil Batra 71ba76d05e settings: Adjust sequence of click handlers in notification settings.
This commit reorders the click handlers in notification settings,
such that we can easily move the click handlers for realm-default
settings to settings_realm_user_settings_defaults.js by returning
early.
2021-10-07 10:12:10 -07:00
Sahil Batra a7b14756ec settings_org: Use admin-realm-form class in save-discard click handlers.
We use 'admin-realm-form' class as selector in save-discard click
handlers instead of 'organization' which includes all the organization
settings sections, but save/discard widget is used only for some
sections and all of them are inside the form with class 'admin-realm-form'.

This will also help us to avoid code duplication when changing the realm
level defaults section to use save-discard widget.
2021-10-07 10:12:10 -07:00
Sahil Batra 774026396b settings_org: Add patch_url parameter to save_organization_settings.
This commit adds patch_url parameter to save_organization_settings
function such that we can use the same function for realm-level
defaults section also as those settings are updated using different
endpoint.
2021-10-07 10:12:10 -07:00
Sahil Batra 4e14a98772 settings: Change name attribute of emojiset_choice element to emojiset.
This commit changes the name attribute of emojiset_choice element from
emojiset_group to emojiset such that we can use the name attribute to
get the name of setting from element.
2021-10-07 10:12:10 -07:00
Sahil Batra 4e901d56ae settings: Do not initialize save_organization_settings in build_page.
We directly declare the save_organization_settings function instead
of first declaring a variable and then setting it in the build_page
function. This is a prep commit for using save/discard widget in
realm-level defaults section.
2021-10-07 10:12:10 -07:00
Sahil Batra 7dc29f170d settings: Use save discard widget for showing indicator.
We use save discard widget to show saving/failed indicators
in the realm-level privacy and other settings subsections.
2021-10-07 10:12:10 -07:00
Sahil Batra a377f02fb7 settings: Use save discard widget for showing indicator.
We use save discard widget to show saving/failed indicators
in the user and realm-level notification settings.
2021-10-07 10:12:10 -07:00
Sahil Batra f777a74523 settings: Use save discard widget for showing indicator.
We use save discard widget to show saving/failed indicators
in the user and realm-level display settings.
2021-10-07 10:12:10 -07:00
Sahil Batra fa991b21a5 settings: Add option to show only indicator in save-discard widget.
This commit adds an option to show only indicator and not save/discard
buttons using the settings_save_discard_widget. This is a prep commit
for using save/discard buttons in the realm-level defaults section
while keeping the original behavior of showing only indicator in the
user-level settings.
2021-10-07 10:12:10 -07:00
Sahil Batra 3be2273316 settings: Fix incorrect use of two class attributes for same element. 2021-10-07 10:12:10 -07:00
rht d8e1409fe5 Slack import: Use Python ZipFile to unzip.
This should handle the case when non-ASCII Unicode folder names are
created on Windows.

Fixes #19899.
2021-10-07 09:24:19 -07:00
Aman Agrawal 86c3c5d6f1 for-pages: Increase line height of feature list items. 2021-10-07 09:05:07 -07:00
Eeshan Garg 7882a1a7f4 for/open_source: Add illustration for building inclusive commmunities. 2021-10-06 17:42:56 -07:00
Eeshan Garg c00aaee8ae for-open-source: Add streams and topics screenshots. 2021-10-06 17:42:56 -07:00
Mateusz Mandera 16321327f9 docs: Improve documentation on syncing UserProfile bool flags via ldap.
It's better to explicitly list the possibilities. Also, the
recommendation regarding is_active should be changed to a strict
"Don't", as Subscription.is_user_active is a denormalized field and
flipping a user's is_active will cause inconsistent state by leaving
Subscriptions unupdated. Given that similar things can be introduced in
the future for any other flag not officially supported by having a
setter, the recommendation should "Don't" in general.
2021-10-06 17:38:56 -07:00
Eeshan Garg 8fab13bb6c invites: Handle long invite URL overflow properly.
Fixes #19764.
2021-10-06 17:38:12 -07:00
Alya Abbott 8045355eee user docs: Document public vs. private stream creation permissions. 2021-10-06 17:33:19 -07:00
AnshVM f30e439ee3
message_edit: Hide recipient bar resolve topic if user lacks permission.
Previously, the "resolve/unresolve topic" checkmark option was displayed in recipient bars 
was presented to users regardless of whether they had permission to resolve topics in that
stream, which was confusing.

Fixes #19880.
2021-10-05 16:46:58 -07:00
Aman Agrawal 3b29c61409 auth: Add login buttons for web public access.
For users who are not logged in and for those who don't have
'prefers_web_public_view' set in session, we redirect them
to the default login page where they can choose to login
as spectator or authenticated user.
2021-10-05 16:30:40 -07:00
Aman Agrawal cc8cb5432e channel: Simplify password change tracking.
Move the password tracking variables from setup to channel module.
Track password_change requests in channel.
Directly use xhr object to store `password_changes` information.
Tests modified to accomodote this change by converting strings to
objects.
2021-10-05 10:23:43 -07:00
Aman Agrawal 8433ce90dc channel: Ask spectator to login for unauthenticated requests.
Get complete coverage for channel.
2021-10-05 10:23:43 -07:00
Aman Agrawal 50812ead0f setup: Move 401 error check to channel.
Channel already handles all the requests and general errors related to
them; so, channels seems the right place for this check.
2021-10-05 10:11:10 -07:00
Sahil Batra ab0d852fd5 register: Add can_create_web_public_streams to register response. 2021-10-05 10:10:32 -07:00
Sahil Batra 2c2c19c4d4 streams: Restrict creating web public streams based on new setting.
This commit restricts creating web public streams based on the
recently added create_web_public_stream_policy setting.
2021-10-05 09:56:00 -07:00
Sahil Batra 3916181770 models: Add can_create_web_public_streams helper.
This commit adds can_create_web_public_streams helper
in models.py which will be used to validate whether
user is allowed to create a web-public stream or not.

This commit also adds the checks for Realm.POLICY_OWNERS_ONLY
in check_has_permission_policies.
2021-10-05 09:48:50 -07:00
Sahil Batra 5f950e3efd models: Add create_web_public_stream_policy setting.
This commit adds create_web_public_stream_policy
field to Realm table which controls the roles that
can create web-public streams and by default its
value is set to POLICY_OWNERS_ONLY.
2021-10-05 09:28:28 -07:00
Sahil Batra be0387b189 test_subs: Enforce invite_only argument to be named.
This commit enforces invite_only argument to be named
in _test_user_settings_for_creating_streams. This will
help in improving readability especially when we will
add is_web_public argument in further commits.
2021-10-05 09:12:56 -07:00
Sahil Batra a63385f47f tests: Check all cases in check_has_permission_policies.
This commit adds tests for POLICY_EVERYONE and POLICY_NOBODY
in check_has_permission_policies test. The original code
used these values but these were not covered in test.
2021-10-05 09:12:56 -07:00
Sahil Batra c07b8e9b44 tests: Validate owner users also in check_has_permission_policies.
We should validate owner user also for all policy values. This is
important when we will add tests for POLICY_NOBODY in next commit.
2021-10-05 09:12:56 -07:00
Sahil Batra 855f7158ea models: Remove redundant check for POLICY_EVERYONE.
We check whether policy value is POLICY_EVERYONE in
has_permission itself so there is no need to handle
that in can_edit_topic_of_any_message.
2021-10-05 09:12:56 -07:00
Sahil Batra dbcdd08324 test_events: Test the email event when changing delivery_email.
We send three events when changing delivery email of a user - one
for updating the delivery_email field of user, one for avatar url
change, and one for changing email field if email_address_visibility
is set to 'EMAIL_ADDRESS_VISIBILITY_EVERYONE'.

There is already a test for delivery_email and avatar_url event with
the visibility setting set to 'EMAIL_ADDRESS_VISIBILITY_ADMINS_ONLY',
but no test for verifying the email update event sent when email
address is public, so this commit adds a test for checking the schema
of event for updating email field.
2021-10-05 09:12:20 -07:00
Tim Abbott f01ee5f17a lint: Fix line wrapping of new schema migrations doc. 2021-10-04 22:16:55 -07:00
Alex Vandiver 36f92d6843 docs: Document what to do when releases need migrations. 2021-10-04 22:10:24 -07:00
Tim Abbott 387237f263 stream settings: Fix exception for users who cannot create streams.
The previous logic, introduced in
fa928d5cd1, crashed when visiting
"manage streams" in the case that the user didn't have permission to
create any streams at all.

We remove the more complex logic.

This isn't the right long term fix, because it means users who can
only create public streams just get a vague "Insufficient permission"
error when trying to create a private stream (and vice versa), but is
sufficient to fix the critical bug of "manage streams" failing to load.

Fixes #19895.
2021-10-04 22:01:04 -07:00
Aman Agrawal eca8f0ffbf openapi: Fix broken link to documentation. 2021-10-04 19:46:29 -07:00
Sahil Batra eedd832ca9 events: Fix updating user email on changing email_address_visibility.
When email_address_visibility is changed and either the old value
or the updated value is EMAIL_ADDRESS_VISIBILITY_EVERYONE then
email field of all users is updated and we also send the corresponding
event to clients. But apply_event code did not update the data on
receiving the event, so this commit fixes the code to correctly
handle the event in apply_event.

(We also use this event when just changing a user's email address).

This commit also adds the tests and openapi schema for the event.
2021-10-04 17:24:31 -07:00
Sahil Batra 402968ccf3 test_events: Use the list defined in models.py for realm update tests.
We use the lists defined in models.py like Realm.COMMON_POLICY_TYPES,
Realm.COMMON_MESSAGE_POLICY_TYPES, etc. in do_set_realm_property_test
instead of using defining list there (eg - [4, 3, 2, 1]). We do the
same thing in do_set_realm_property_test in test_realm.py.

We skip email_address_visibility values in this commit because it
requires some change in openapi schema as well.
2021-10-04 17:04:54 -07:00
Eeshan Garg 8123e62643 topics: Add test for translation issue with resolve notifications.
This commit adds a test that makes sure that that the fix in
PR #19828 is working as expected.
2021-10-04 16:20:16 -07:00
Eeshan Garg c4aeb159c4 topics: Fix translation issue with moved topic notifications.
Since the calls to the translation function `_()` are made outside
of the `send_message_moved_breadcrumbs` function, these strings are
translated outside of the `with override_language` block, leading to
translated strings even when we don't intend them to be translated.

We now use gettext_lazy with appropriate testing to avoid this.
2021-10-04 16:20:16 -07:00
Alex Vandiver 3922b171a8 version: Update version and changelog after 4.7 release. 2021-10-04 21:52:52 +00:00
Alex Vandiver db934be064 CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar.  The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.

Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed.  As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.

Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.

A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.

The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-10-04 21:26:24 +00:00
Alex Vandiver 9f2df658f0 requirements: Add google-re2, a drop-in replacement for re using re2.
re2[1] compiles (strictly) regular expressions to deterministic finite
automata, which guarantees linear-time behavior; `google-re2` is a
drop-in replacement for the `re` module which uses re2 under the hood.

[1]: https://github.com/google/re2/
2021-10-04 16:59:54 +00:00
Alex Vandiver f1c61fbea1 openapi: Use more carefully-constructed regexes for markdown extension.
This removes a false-positive ReDoS, since the input is always
checked-in code.  It also incidentally refactors to make the regexes
be more explicit about the values they expect, and removes unnecessary
capturing groups.

It removes an optional parenthesized status code for fixtures,
unnecessary since 981e4f8946, as well as
optional key-value language options, unnecessary since
a2be9a0e2d.

Thank you to @erik-krogh and @yoff for bringing this to our attention.
2021-10-03 18:49:38 -07:00
Dinesh 206168ed28 puppeteer: Remove waitFors on deletion spinners.
Also added a waitFor for the modal to disappear and removed
waitFor for the spinner to hide which would obviously be hidden
with modal and it also doesn't add much value.
2021-10-03 18:47:42 -07:00
Tim Abbott 0cd68b895c test_stripe: Fix broken test in previous commit. 2021-10-01 17:37:27 -07:00
Eeshan Garg 763b3c27d6 corporate: Add contact support page. 2021-10-01 17:30:01 -07:00
Aman Agrawal c750d0e404 compose: Trim selected text before formatting.
We remove new line and space characters around the selected
text and then apply the requested formatting.
2021-10-01 16:45:51 -07:00